website risk assessment/risk management

Are there any common risks that can be associated with a company website? We need to do a risk assessment to ensure we have plans/controls/processes in place for all common risks associated with a company's website. The main ones I could think of were: effective content management (e.g. no broken links, up-to-date information, compliance with accessibility standards for all user groups) to reduce the risk of customer dissatisfaction/reputational damage; availability, e.g. controls for minimising downtime from hardware failure etc.; security, e.g. compromise of site/server etc. I suppose performance, e.g. ensuring a suitable platform/hardware, could be another risk.
Dr. Klahn (Principal Software Engineer) commented:
Keep the web site outside the corporate network proper, in its own DMZ.  Better, co-host the web site or put it on a commercial hosting server so that it's not physically associated with your corporate LAN at all.

Up-to-date backups, which depends on the amount of risk you are willing to assume.  This might mean monthly, weekly, daily or even shorter intervals.

In a one-server environment, at least one warm-redundant server so one can take over immediately on failure of the primary.  In a multiple-server environment, continuous consistency checking between the servers so that any infected machine can be taken down quickly.

Hire a "gray hat" intrusion team periodically and have them attempt to disrupt the server operation.

Protection against DDoS.  You'll run into it eventually, best to address it right from the beginning.

Automatic IP lockout of troublesome IP blocks and individual addresses.

And so much more.
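As an added example (not code from either answer), a small Python script in the spirit of the "automatic IP lockout" point above: it reads combined-format access log lines, flags addresses that produce a burst of 4xx/5xx responses inside a one-minute window, and rolls the flagged addresses up into /24 blocks. The log lines, thresholds and IP ranges are constructed for illustration, and the result is a candidate list for review or for feeding a firewall rule, not the lockout itself.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Combined log format (Apache/nginx). Only client IP, timestamp and status are needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = (
    [f'203.0.113.5 - - [10/Oct/2023:13:55:{s:02d} +0000] "POST /login HTTP/1.1" 401 512'
     for s in range(0, 60, 10)]                      # 6 failed logins in 50 s
    + [f'203.0.113.9 - - [10/Oct/2023:13:56:{s:02d} +0000] "GET /admin/x{s} HTTP/1.1" 404 0'
       for s in range(0, 50, 10)]                    # 5 probes in 40 s
    + ['198.51.100.7 - - [10/Oct/2023:13:57:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
       '198.51.100.7 - - [10/Oct/2023:13:57:05 +0000] "GET /missing HTTP/1.1" 404 0']
)

def parse_line(line):
    """Return (ip, timestamp, status) or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))

def lockout_candidates(lines, threshold=5, window=timedelta(minutes=1), block_min_hosts=2):
    """Return (addresses, blocks): IPv4 addresses with >= threshold error responses
    inside any sliding `window`, and /24 blocks holding >= block_min_hosts of them."""
    failures = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                                  # unparsable line: skip, do not crash
        ip, ts, status = parsed
        if status >= 400:
            failures[ip].append(ts)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):                 # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    blocks = defaultdict(set)                         # assumes IPv4; /24 is the block size used here
    for ip in flagged:
        blocks[str(ip_network(ip + "/24", strict=False))].add(ip)
    flagged_blocks = {b for b, hosts in blocks.items() if len(hosts) >= block_min_hosts}
    return flagged, flagged_blocks

if __name__ == "__main__":
    print(lockout_candidates(SAMPLE_LOG))
```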
btan (Exec Consultant) commented:
Baseline controls should minimally address the OWASP top vulnerabilities, esp. the injection attacks like XSS and SQLi, data exposure, and the use of vulnerable components as mentioned for the CMS.
There are also the high-impact web attacks shared by the expert above, like DDoS at the network and application level (see link for further assessment), and not forgetting web defacement (which may not be just visual changes but files stealthily injected into the server).
It is also good to take a "reverse" view, in the event the web system lacks these basic controls or checks:

  1. Input and data validation (injection)
  2. Authentication & Authorization (unauthorized access)
  3. Configuration management (unhardened)
  4. Sensitive data (leakage)
  5. Session management (hijacking)
  6. Cryptography (tamper & intercept)
  7. Parameter manipulation (corruption I/p)
  8. Exception management (fingerprint state)
  9. Auditing and logging (delay detection)